How to Demonstrate Compliance With GDPR Article 31

Cooperation With the Supervisory Authority


GDPR Article 31 outlines the legal obligation that an organisation has to cooperate with the supervisory authority, whomever that may be.

GDPR Article 31 Legal Text

EU GDPR Version

Cooperation with the supervisory authority

The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.

UK GDPR Version

Cooperation with the commissioner

The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the Commissioner in the performance of the Commissioner’s tasks.

ISO 27701 Clause 5.2.2 (Understanding the Needs and Expectations of Interested Parties) and EU GDPR Article 31

PII and privacy protection has the potential to affect a large number of employees, users and customers, both internally and externally.

Organisations need to gain a firm understanding of the needs of any affected personnel and what ISO deems as ‘interested parties’.

Organisations need to establish and document:

  • Any ‘interested parties’ that are relevant to the broader topic of privacy protection.
  • The specific requirements of those parties within the scope of a PIMS.

Organisations should also take into account any legal, regulatory or contractual obligations, alongside practical and operational requirements.

When implementing a PIMS, organisations need to map out a list of interested parties that are either affected by a PIMS, or have a role to play in processing PII.

Where PII is concerned, an interested party could include, but is not limited to:

  • An employee.
  • A customer.
  • Regulatory, judicial or supervisory authorities.
  • Other PII controllers and processors.

It’s important to note that PII requirements – as related to a PIMS – often emanate from a wide range of sources, including:

  1. Internal processes and goals.
  2. Governmental and/or regulatory bodies.
  3. Contractual obligations with third-party organisations.

It can often be difficult for governing and regulatory organisations to confirm adherence to published privacy protection standards on the part of an organisation, in its role as a PII processor and controller.

As such, organisations need to expect such bodies to call for independent reviews of any relevant Management System, in order to satisfy their own auditing requirements.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article         ISO 27701 Clause     ISO 27701 Supporting Clauses
EU GDPR Article 31   ISO 27701 5.2.2      None

How ISMS.online Helps

GDPR is one of the world’s toughest privacy and security regulations, with significant fines for violations. Accordingly, organisations are required to protect personal data in a ‘reasonable’ manner.

But here’s the good news.

ISMS.online helps you demonstrate a level of protection that exceeds ‘reasonable’ in a secure, always-on location.

Data mapping made easy.

We make data mapping a simple task. By adding your organisation’s details to our preconfigured dynamic Records of Processing Activity tool, you can easily record and review it all.

If the worst happens, you’ll be ready.

With our tools, you can plan, communicate, document, and learn from every breach.

Find out more by booking a 30-minute demo.
